Which SIEM platforms have a T1087.003 detection rule?

df00tech provides T1087.003 (Email Account) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Email Account (T1087.003)?

Detecting Email Account requires the following data sources: Process: Process Creation, Command: Command Execution, File: File Access, Microsoft Defender for Endpoint.

What severity and confidence is the T1087.003 detection?

The T1087.003 detection is rated medium severity with high confidence.

What are common false positives for T1087.003?

Common false positives for T1087.003 include: Exchange administrators legitimately running Get-GlobalAddressList or Get-Recipient cmdlets for address book management or auditing; Email migration tools (MigrationWiz, Bit Titan, IMAPMIG) accessing PST/OST files or querying address lists during migration projects; Backup software (Veeam Backup for Microsoft 365, Barracuda) accessing Outlook data files as part of scheduled backup jobs.

T1087.003 Elastic Security · Elastic

Detect Email Account in Elastic Security

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. Threat actors including Magic Hound, TA505, RedCurl, and Sandworm Team have leveraged this technique using tools like MailSniper, Ruler, and custom malware to harvest email account information for reconnaissance, phishing, and lateral movement.

MITRE ATT&CK

Tactic: Discovery
Technique: T1087 Account Discovery
Sub-technique: T1087.003 Email Account
Canonical reference: https://attack.mitre.org/techniques/T1087/003/

Elastic Detection Query

Elastic Security (Elastic)

eql

any where
  (
    event.category == "process" and
    event.type == "start" and
    process.name : ("powershell.exe", "pwsh.exe") and
    (
      process.command_line : (
        "*Get-GlobalAddressList*",
        "*Get-AddressList*",
        "*Get-OfflineAddressBook*",
        "*Get-Recipient*",
        "*Get-MailUser*",
        "*Get-Mailbox*",
        "*MailSniper*",
        "*Invoke-GlobalO365PasswordSpray*",
        "*Invoke-SelfSearch*",
        "*Invoke-PasswordSprayOWA*",
        "*Invoke-PasswordSprayEWS*",
        "*Connect-ExchangeOnline*",
        "*ExchangeManagementShell*",
        "*ruler*gal*",
        "*ruler*dump*",
        "*ruler*enum*",
        "*ruler*brute*",
        "*New-PSSession*exchange*",
        "*New-PSSession*outlook.office365.com*"
      ) or
      (
        process.command_line : "*ldap*" and
        process.command_line : ("*proxyaddresses*", "*targetaddress*", "*msexch*")
      )
    )
  ) or
  (
    event.category == "file" and
    file.path : ("*.pst", "*.ost") and
    not process.name : (
      "outlook.exe",
      "svchost.exe",
      "services.exe",
      "msedge.exe",
      "microsoftedge.exe",
      "MsMpEng.exe"
    )
  )

high severity high confidence

Detects T1087.003 email account enumeration via PowerShell GAL cmdlets (Get-GlobalAddressList, Get-Mailbox, Get-Recipient, etc.), MailSniper toolkit invocation, Exchange Online remote session establishment, Ruler tool GAL dumping, LDAP queries targeting Exchange-specific AD attributes (proxyAddresses, targetAddress, msExch*), and non-Outlook processes accessing PST or OST files. Covers both on-premises Exchange and Exchange Online attack paths used by threat actors including Magic Hound, TA505, RedCurl, and Sandworm.

Data Sources

Elastic Endpoint Security agent (Windows process events)Windows Sysmon via Elastic Agent or WinlogbeatWindows Security Event Log via Winlogbeat (EventID 4688 with command-line auditing enabled)

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-* (with process.command_line populated via EventID 4688).ds-logs-endpoint.events.process-*

False Positives & Tuning

Exchange administrators legitimately running Get-Mailbox, Get-Recipient, or Get-GlobalAddressList cmdlets for mailbox reporting, compliance exports, GAL synchronisation, or address book maintenance tasks as part of approved IT operations
Email migration tools such as BitTitan MigrationWiz, Quest Migration Manager, or Microsoft-native IMAP migration scripts that enumerate address lists and access PST/OST files during planned migration windows
Enterprise email backup and archiving software (Veritas Enterprise Vault, Commvault, AvePoint, Veeam Backup for Microsoft 365) accessing PST or OST files during scheduled archive or backup jobs
IT provisioning automation scripts using Exchange PowerShell cmdlets (Get-MailUser, Get-Recipient) to validate email routing or automate user onboarding and offboarding workflows via ITSM integrations
Authorized red team or penetration testing engagements using MailSniper or Ruler under documented scope agreements

Download portable Sigma rule (.yml)

Other platforms for T1087.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Get-GlobalAddressList via PowerShell (Exchange Online)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList', 'Connect-ExchangeOnline', and 'Export-Csv'. PowerShell ScriptBlock Log Event ID 4104 with the full enumeration script. If connection succeeds, Sysmon Event ID 3 showing network connection to outlook.office365.com:443. Sysmon Event ID 11 for gal_output.csv file creation in %TEMP%.
Test 2MailSniper Get-GlobalAddressList Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-GlobalAddressList' and '-ExecutionPolicy Bypass'. PowerShell ScriptBlock Log Event ID 4104 with the simulated MailSniper command syntax.
Test 3LDAP Query for Email Attributes
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'DirectorySearcher', 'mail', and 'proxyAddresses'. Sysmon Event ID 3: Network connection to domain controller on port 389 (LDAP) or 636 (LDAPS). PowerShell ScriptBlock Log Event ID 4104 with the full LDAP query. Sysmon Event ID 11 for ldap_emails.txt creation.
Test 4Non-Outlook Process Accessing Outlook PST File
Expected signal: Sysmon Event ID 11: File Create/Access events for any .pst or .ost files found, with InitiatingProcess=powershell.exe. Sysmon Event ID 1: Process Create with Image=powershell.exe accessing Outlook profile directory. PowerShell ScriptBlock Log Event ID 4104 with the PST enumeration code.

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1087.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Email Account in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1087.003

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1087.003

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox